1. Field of the Invention
The present invention relates to an public-key certificate issuance request processing system and an public-key certificate issuance request processing method for issuing and managing an public-key certificate that testifies validity of an public-key used to transmit encrypted data, and managing such public-key certificates. More particularly, the present invention is concerned with an public-key certificate issuance request processing system composed mainly of a certificate authority and registration authorities that are hierarchically structured, and an public-key certificate issuance request processing method. The certificate authority is an organization for issuing a public-key certificate. Each of the registration authorities receives a request for issuance of a public-key certificate made by an end entity, which is a user, to the certificate authority.
2. Description of the Related Art
What is booming these days is distribution of diverse software packages (which shall be referred to as contents), such as, audio data, image data, game programs, and other various application programs over the Internet or any other network. Moreover, even in the fields of online shopping and financial dealings, processing over a network is popular.
In data communication over a network, after a data transmitting side and a data receiving side confirm that their partners are authentic objects of data transmission or data reception, required information is transferred. In short, a secure data transmission method is adopted generally. Technologies for ensuring security for data transfer include encryption of data to be transferred and signing of data.
Encrypted data to be transferred is translated back to usable decrypted data through a predetermined decrypting procedure. A data encrypting/decrypting method that uses an encryption key to encrypt information and uses a decryption key to decrypt encrypted information has been widely adopted in the past.
The data encrypting/decrypting method that employs the encryption key and decryption key is realized in various forms. One of the forms is a so-called public-key encryption technology. The public-key encryption technology is such that: a key used by an originator and a key used by a recipient are different from each other; one of the keys is a public key usable by an unspecified number of users; and the other key is a secret key known only to one user. For example, the public key is adopted as the data encryption key, and the secret key is adopted as the data decryption key. Otherwise, the secret key is adopted as a certifier production key, and the public key is adopted as a certifier decryption key.
Unlike a common-key encryption technology that employs a common key in encryption and decryption alike, according to the public-key encryption technology, the secret key that must be kept secret is known only to one person and can therefore be managed easily. However, compared with the common-key encryption technology, the public-key encryption technology suffers a low data processing rate. The public-key encryption technology is therefore adapted to a case where only a small amount of data is distributed as the secret key or as a digital signature. A typical public-key encryption technology is the RSA (which stands for Rivest, Shamir, and Adleman) technology. The RSA technology employs a product of two very large prime numbers (of, for example, 150 digits long) and utilizes the difficulty in factorization of the product of two large prime numbers (for example, 150 digits).
The public-key encryption technology allows an unspecified number of people to use the public key. A method of employing a certificate, which states that a distributed public key is valid, that is, a so-called public-key certificate is widely adopted. For example, user A produces a pair of a public key and a secret key, transmits the produced public key to a certificate authority, and receives a public key certificate from the certificate authority. User A allows the general public to access the public key certificate. An unspecified number of users checks the public key certificate, gets the public key according to a predetermined procedure, encrypts a document or the like, and transmits the resultant document to user A. User A uses a secret key to decrypt the encrypted document or the like. Moreover, user A uses the secret key to sign a document or the like. An unspecified number of users checks the public key certificate, gets the public key according to the predetermined procedure, and verifies the signature.
The public key certificate will be described in conjunction with FIG. 1. The public key certificate is a certificate issued from the certificate authority (CA) (or issuer authority (IA)) employed in the public-key encryption technology. A user presents his/her own identifier (ID) and public key to the certificate authority. The certificate authority appends information such as an own ID and an effective period to the certificate, and adds a signature thereto. Thus, the public key certificate is completed.
The public key certificate shown in FIG. 1 consists of a version number assigned to the certificate, a serial number which the certificate authority assigns to a user, an algorithm and parameters used to produce a digital signature, the name of the certificate authority, the effective period during which the certificate is effective, the name of a certificate user (user ID), and a public key and an digital signature produced by the certificate user.
The digital signature is data produced by applying a secret key produced by the certificate authority to hash values. The hash values are produced by applying a hashing function to the version number assigned to the certificate, the serial number which the certificate authority assigns to the certificate user, the algorithm and parameters used to produce the digital signature, the name of the certificate authority, the effective period of the certificate, the name of the certificate user, and the public key produced by the certificate user.
The certificate authority issues the public key certificate shown in FIG. 1, and updates a public key certificate whose effective period is expired. Moreover, the certificate authority creates, manages, and distributes a black list for the purpose of driving out dishonest users (this action shall be referred to as revocation). Moreover, the certificate authority produces a public key and a secret key if necessary.
When a user wants to utilize the public key certificate, the user uses his/her own public key assigned by the certificate authority, and verifies the digital signature of the public key certificate. After the user succeeds in verifying the digital signature, the user retrieves the public key from the public key certificate and uses the public key. All users who use the public key certificate must therefore have the common public key assigned by the certificate authority.
As mentioned above, e-commerce that includes buying and selling of products with digital cash via electronic data interchange, which utilizes the Internet, is growing rapidly. A secure mechanism for certifying that an individual is who he/she claims to be or certifying that a message is what the message should be is essential for two parties to have secure electronic dealings with each other. One of means for realizing the mechanism that have attracted attention most greatly is a certification system that utilizes the aforesaid public key and the public key certificate issued from a certification authority.
In a data transmission system that adopts the aforesaid public-key encryption technology which utilizes a public key certificate issued from a certification authority, it is necessary to construct a certification system that requests a certificate authority to issue a public key certificate for an unprecedented public key.
For example, a service provider who provides a service of, for example, distributing contents or selling products or a user who receives the service from the service provider must apply to a certificate authority for issuance and management of a public key certificate for a public key specific to a new service. Otherwise, the user cannot use the new public key. This results in an increase in an amount of time-consuming processing that the certificate authority must perform. The time-consuming processing accompanies issuance of a public key certificate and includes user screening.
Processing to be performed by the certificate authority falls broadly into the processing that is performed as the role of an issuer authority of issuing a public key certificate and the processing that is performed as the role of a registration authority of receiving and examining an issuance request. In terms of issuance and management of a public key certificate, the role of the issuer authority is highly common and less dependent on a service. In contrast, the role of the registration authority of registering and examining a public key certificate has close relation to each service and depends highly on a service. An existing certificate authority has the roles of both the issuer authority and registration authority integrated thereinto. The certificate authority therefore must incur a very large load in providing a certification service.